Serge Truth

Serge is a Content Lead here at Security Innovation. He is an IT and Information Security professional, certified by the Committee on National Security Systems Instruction.

Recent Posts

Mitigating Common Password Attacks

by Serge Truth on September 27, 2016 at 10:47 AM

Multiple options are available for mitigating automated password guessing attacks, and choosing the most appropriate one(s) requires understanding the trade-offs between security and usability of each. Regardless, the goal...

Drupal SQL Injection

by Serge Truth on October 28, 2014 at 9:07 AM

Threat Assessment

The SQL Injection vulnerability in Drupal versions 7.0 through 7.31 is an extremely dangerous vulnerability that is likely to have profound implications for the Internet as a whole. This vulnerability is...

Applications can be protected from ShellShock and other similar vulnerabilities by following secure application development best practices that are used to prevent Command Injection vulnerabilities. ShellShock is a special...

Shell upload vulnerabilities allow an attacker to upload a malicious PHP file and execute it by accessing it via a web browser. The "shell" is a PHP script that allows the attacker to control the server - essentially a...

Code Injection vulnerabilities are often easy to exploit and because they allow attackers to execute arbitrary PHP code using the application’s own privileges, they can result in a lot of damage. They are typically exploited...

Command Injection vulnerabilities are extremely dangerous, often easy to exploit, and give attackers the ability to execute operating system commands with the privileges of the web application user. These properties allow...

One of the most effective overall application security controls is input validation, which checks user input to determine if it is valid data. For example, an input field for a person's first name might reject the string...

An important step in hardening the PHP environment is configuring the php.ini file properly and disabling functions that may be useful to an attacker but not necessary to the application. However, make sure that PHP is...

PHP is the most commonly used web application framework and the level of security it provides is often debated. However, what is factual is that it has no default security mechanism. Identical PHP applications are often...

What to Check For

Ensure that accounts are locked after consecutive failed login attempts.